OpenCoverage

ocsp_vfy.c

Absolute File Name:

/home/opencoverage/opencoverage/guest-scripts/openssl/src/crypto/ocsp/ocsp_vfy.c

Source code

Switch to Preprocessed file

Line Source Count

1 /* -

3 * -

4 * Licensed under the OpenSSL license (the "License"). You may not use -

5 * this file except in compliance with the License. You can obtain a copy -

6 * in the file LICENSE in the source distribution or at -

7 * https://www.openssl.org/source/license.html -

8 */ -

9 -

10 #include <openssl/ocsp.h> -

11 #include "ocsp_lcl.h" -

12 #include <openssl/err.h> -

13 #include <string.h> -

14 -

15 static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, -

16 STACK_OF(X509) *certs, unsigned long flags); -

17 static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id); -

18 static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain); -

19 static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, -

20 OCSP_CERTID **ret); -

21 static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, -

22 STACK_OF(OCSP_SINGLERESP) *sresp); -

23 static int ocsp_check_delegated(X509 *x); -

24 static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, -

25 X509_NAME *nm, STACK_OF(X509) *certs, -

26 unsigned long flags); -

27 -

28 /* Verify a basic response message */ -

29 -

30 int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, -

31 X509_STORE *st, unsigned long flags) -

32 { -

33 X509 *signer, *x; -

34 STACK_OF(X509) *chain = NULL; -

35 STACK_OF(X509) *untrusted = NULL; -

36 X509_STORE_CTX *ctx = NULL; -

37 int i, ret = ocsp_find_signer(&signer, bs, certs, flags); -

38 -

if (!ret) {

!ret	Description
TRUE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 44 times by 1 test Evaluated by: libcrypto.so.1.1

11-44

40 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, -

41 OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); -

goto end;

executed 11 times by 1 test: goto end;

Executed by:

libcrypto.so.1.1

43 } -

44 ctx = X509_STORE_CTX_new(); -

if (ctx == NULL) {

ctx == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 44 times by 1 test Evaluated by: libcrypto.so.1.1

0-44

46 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE); -

goto f_err;

never executed: goto f_err;

48 } -

if ((ret == 2) && (flags & OCSP_TRUSTOTHER))

(ret == 2)	Description
TRUE	evaluated 19 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 25 times by 1 test Evaluated by: libcrypto.so.1.1

(flags & 0x200)	Description
TRUE	never evaluated
FALSE	evaluated 19 times by 1 test Evaluated by: libcrypto.so.1.1

0-25

flags |= OCSP_NOVERIFY;

never executed: flags |= 0x10;

if (!(flags & OCSP_NOSIGS)) {

!(flags & 0x4)	Description
TRUE	evaluated 44 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-44

52 EVP_PKEY *skey; -

53 skey = X509_get0_pubkey(signer); -

if (skey == NULL) {

skey == ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 44 times by 1 test Evaluated by: libcrypto.so.1.1

0-44

55 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_NO_SIGNER_KEY); -

goto err;

never executed: goto err;

57 } -

58 ret = OCSP_BASICRESP_verify(bs, skey, 0); -

if (ret <= 0) {

ret <= 0	Description
TRUE	evaluated 19 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 25 times by 1 test Evaluated by: libcrypto.so.1.1

19-25

60 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE); -

goto end;

executed 19 times by 1 test: goto end;

Executed by:

libcrypto.so.1.1

62 } -

}

executed 25 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

if (!(flags & OCSP_NOVERIFY)) {

!(flags & 0x10)	Description
TRUE	evaluated 25 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-25

65 int init_res; -

if (flags & OCSP_NOCHAIN) {

flags & 0x8	Description
TRUE	never evaluated
FALSE	evaluated 25 times by 1 test Evaluated by: libcrypto.so.1.1

0-25

67 untrusted = NULL; -

} else if (bs->certs && certs) {

never executed: end of block

bs->certs	Description
TRUE	evaluated 15 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 10 times by 1 test Evaluated by: libcrypto.so.1.1

certs	Description
TRUE	evaluated 15 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-15

69 untrusted = sk_X509_dup(bs->certs); -

for (i = 0; i < sk_X509_num(certs); i++) {

i < sk_X509_num(certs)	Description
TRUE	evaluated 17 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 15 times by 1 test Evaluated by: libcrypto.so.1.1

15-17

if (!sk_X509_push(untrusted, sk_X509_value(certs, i))) {

!sk_X509_push(...lue(certs, i))	Description
TRUE	never evaluated
FALSE	evaluated 17 times by 1 test Evaluated by: libcrypto.so.1.1

0-17

72 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE); -

goto f_err;

never executed: goto f_err;

74 } -

}

executed 17 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

} else if (certs != NULL) {

executed 15 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

certs != ((void *)0)	Description
TRUE	evaluated 10 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-15

77 untrusted = certs; -

} else {

executed 10 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

79 untrusted = bs->certs; -

}

never executed: end of block

81 init_res = X509_STORE_CTX_init(ctx, st, signer, untrusted); -

if (!init_res) {

!init_res	Description
TRUE	never evaluated
FALSE	evaluated 25 times by 1 test Evaluated by: libcrypto.so.1.1

0-25

83 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB); -

goto f_err;

never executed: goto f_err;

85 } -

86 -

87 X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER); -

88 ret = X509_verify_cert(ctx); -

89 chain = X509_STORE_CTX_get1_chain(ctx); -

if (ret <= 0) {

ret <= 0	Description
TRUE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 16 times by 1 test Evaluated by: libcrypto.so.1.1

9-16

91 i = X509_STORE_CTX_get_error(ctx); -

92 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, -

93 OCSP_R_CERTIFICATE_VERIFY_ERROR); -

94 ERR_add_error_data(2, "Verify error:", -

95 X509_verify_cert_error_string(i)); -

goto end;

executed 9 times by 1 test: goto end;

Executed by:

libcrypto.so.1.1

97 } -

if (flags & OCSP_NOCHECKS) {

flags & 0x100	Description
TRUE	never evaluated
FALSE	evaluated 16 times by 1 test Evaluated by: libcrypto.so.1.1

0-16

99 ret = 1; -

100

goto end;

never executed: goto end;

101 } -

102 /* -

103 * At this point we have a valid certificate chain need to verify it -

104 * against the OCSP issuer criteria. -

105 */ -

106 ret = ocsp_check_issuer(bs, chain); -

107 -

108 /* If fatal error or valid match then finish */ -

109

if (ret != 0)

ret != 0	Description
TRUE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1

3-13

110

goto end;

executed 13 times by 1 test: goto end;

Executed by:

libcrypto.so.1.1

111 -

112 /* -

113 * Easy case: explicitly trusted. Get root CA and check for explicit -

114 * trust -

115 */ -

116

if (flags & OCSP_NOEXPLICIT)

flags & 0x20	Description
TRUE	never evaluated
FALSE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1

0-3

117

goto end;

never executed: goto end;

118 -

119 x = sk_X509_value(chain, sk_X509_num(chain) - 1); -

120

if (X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) {

X509_check_tru..., 180, 0) != 1	Description
TRUE	evaluated 3 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-3

121 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_ROOT_CA_NOT_TRUSTED); -

122

goto err;

executed 3 times by 1 test: goto err;

Executed by:

libcrypto.so.1.1

123 } -

124 ret = 1; -

125

}

never executed: end of block

126

end:

code before this statement never executed: end:

127 X509_STORE_CTX_free(ctx); -

128 sk_X509_pop_free(chain, X509_free); -

129

if (bs->certs && certs)

bs->certs	Description
TRUE	evaluated 30 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 25 times by 1 test Evaluated by: libcrypto.so.1.1

certs	Description
TRUE	evaluated 30 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-30

130

sk_X509_free(untrusted);

executed 30 times by 1 test: sk_X509_free(untrusted);

Executed by:

libcrypto.so.1.1

131

return ret;

executed 55 times by 1 test: return ret;

Executed by:

libcrypto.so.1.1

132 -

133 err: -

134 ret = 0; -

135

goto end;

executed 3 times by 1 test: goto end;

Executed by:

libcrypto.so.1.1

136 f_err: -

137 ret = -1; -

138

goto end;

never executed: goto end;

139 } -

140 -

141 int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer, -

142 STACK_OF(X509) *extra_certs) -

143 { -

144 int ret; -

145 -

146 ret = ocsp_find_signer(signer, bs, extra_certs, 0); -

147

return (ret > 0) ? 1 : 0;

executed 2 times by 1 test: return (ret > 0) ? 1 : 0;

Executed by:

libcrypto.so.1.1

(ret > 0)	Description
TRUE	evaluated 2 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-2

148 } -

149 -

150 static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, -

151 STACK_OF(X509) *certs, unsigned long flags) -

152 { -

153 X509 *signer; -

154 OCSP_RESPID *rid = &bs->tbsResponseData.responderId; -

155

if ((signer = ocsp_find_signer_sk(certs, rid))) {

(signer = ocsp...k(certs, rid))	Description
TRUE	evaluated 20 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 37 times by 1 test Evaluated by: libcrypto.so.1.1

20-37

156 *psigner = signer; -

157

return 2;

executed 20 times by 1 test: return 2;

Executed by:

libcrypto.so.1.1

158 } -

159

if (!(flags & OCSP_NOINTERN) &&

!(flags & 0x2)	Description
TRUE	evaluated 37 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-37

160

(signer = ocsp_find_signer_sk(bs->certs, rid))) {

(signer = ocsp...->certs, rid))	Description
TRUE	evaluated 26 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 11 times by 1 test Evaluated by: libcrypto.so.1.1

11-26

161 *psigner = signer; -

162

return 1;

executed 26 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

163 } -

164 /* Maybe lookup from store if by subject name */ -

165 -

166 *psigner = NULL; -

167

return 0;

executed 11 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

168 } -

169 -

170 static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id) -

171 { -

172 int i; -

173 unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash; -

174 X509 *x; -

175 -

176 /* Easy if lookup by name */ -

177

if (id->type == V_OCSP_RESPID_NAME)

id->type == 0	Description
TRUE	evaluated 23 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 71 times by 1 test Evaluated by: libcrypto.so.1.1

23-71

178

return X509_find_by_subject(certs, id->value.byName);

executed 23 times by 1 test: return X509_find_by_subject(certs, id->value.byName);

Executed by:

libcrypto.so.1.1

179 -

180 /* Lookup by key hash */ -

181 -

182 /* If key hash isn't SHA1 length then forget it */ -

183

if (id->value.byKey->length != SHA_DIGEST_LENGTH)

id->value.byKey->length != 20	Description
TRUE	never evaluated
FALSE	evaluated 71 times by 1 test Evaluated by: libcrypto.so.1.1

0-71

184

return NULL;

never executed: return ((void *)0) ;

185 keyhash = id->value.byKey->data; -

186 /* Calculate hash of each key and compare */ -

187

for (i = 0; i < sk_X509_num(certs); i++) {

i < sk_X509_num(certs)	Description
TRUE	evaluated 65 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 36 times by 1 test Evaluated by: libcrypto.so.1.1

36-65

188 x = sk_X509_value(certs, i); -

189 X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL); -

190

if (!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))

!memcmp(keyhash, tmphash, 20)	Description
TRUE	evaluated 35 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 30 times by 1 test Evaluated by: libcrypto.so.1.1

30-35

191

return x;

executed 35 times by 1 test: return x;

Executed by:

libcrypto.so.1.1

192

}

executed 30 times by 1 test: end of block

Executed by:

libcrypto.so.1.1

193

return NULL;

executed 36 times by 1 test: return ((void *)0) ;

Executed by:

libcrypto.so.1.1

194 } -

195 -

196 static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain) -

197 { -

198 STACK_OF(OCSP_SINGLERESP) *sresp; -

199 X509 *signer, *sca; -

200 OCSP_CERTID *caid = NULL; -

201 int i; -

202 sresp = bs->tbsResponseData.responses; -

203 -

204

if (sk_X509_num(chain) <= 0) {

sk_X509_num(chain) <= 0	Description
TRUE	never evaluated
FALSE	evaluated 16 times by 1 test Evaluated by: libcrypto.so.1.1

0-16

205 OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, OCSP_R_NO_CERTIFICATES_IN_CHAIN); -

206

return -1;

never executed: return -1;

207 } -

208 -

209 /* See if the issuer IDs match. */ -

210 i = ocsp_check_ids(sresp, &caid); -

211 -

212 /* If ID mismatch or other error then return */ -

213

if (i <= 0)

i <= 0	Description
TRUE	never evaluated
FALSE	evaluated 16 times by 1 test Evaluated by: libcrypto.so.1.1

0-16

214

return i;

never executed: return i;

215 -

216 signer = sk_X509_value(chain, 0); -

217 /* Check to see if OCSP responder CA matches request CA */ -

218

if (sk_X509_num(chain) > 1) {

sk_X509_num(chain) > 1	Description
TRUE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 9 times by 1 test Evaluated by: libcrypto.so.1.1

7-9

219 sca = sk_X509_value(chain, 1); -

220 i = ocsp_match_issuerid(sca, caid, sresp); -

221

if (i < 0)

i < 0	Description
TRUE	never evaluated
FALSE	evaluated 7 times by 1 test Evaluated by: libcrypto.so.1.1

0-7

222

return i;

never executed: return i;

223

if (i) {

i	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 1 time by 1 test Evaluated by: libcrypto.so.1.1

1-6

224 /* We have a match, if extensions OK then success */ -

225

if (ocsp_check_delegated(signer))

ocsp_check_delegated(signer)	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-6

226

return 1;

executed 6 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

227

return 0;

never executed: return 0;

228 } -

229

}

executed 1 time by 1 test: end of block

Executed by:

libcrypto.so.1.1

230 -

231 /* Otherwise check if OCSP request signed directly by request CA */ -

232

return ocsp_match_issuerid(signer, caid, sresp);

executed 10 times by 1 test: return ocsp_match_issuerid(signer, caid, sresp);

Executed by:

libcrypto.so.1.1

233 } -

234 -

235 /* -

236 * Check the issuer certificate IDs for equality. If there is a mismatch with -

237 * the same algorithm then there's no point trying to match any certificates -

238 * against the issuer. If the issuer IDs all match then we just need to check -

239 * equality against one of them. -

240 */ -

241 -

242 static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret) -

243 { -

244 OCSP_CERTID *tmpid, *cid; -

245 int i, idcount; -

246 -

247 idcount = sk_OCSP_SINGLERESP_num(sresp); -

248

if (idcount <= 0) {

idcount <= 0	Description
TRUE	never evaluated
FALSE	evaluated 16 times by 1 test Evaluated by: libcrypto.so.1.1

0-16

249 OCSPerr(OCSP_F_OCSP_CHECK_IDS, -

250 OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA); -

251

return -1;

never executed: return -1;

252 } -

253 -

254 cid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId; -

255 -

256 *ret = NULL; -

257 -

258

for (i = 1; i < idcount; i++) {

i < idcount	Description
TRUE	never evaluated
FALSE	evaluated 16 times by 1 test Evaluated by: libcrypto.so.1.1

0-16

259 tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; -

260 /* Check to see if IDs match */ -

261

if (OCSP_id_issuer_cmp(cid, tmpid)) {

OCSP_id_issuer_cmp(cid, tmpid)	Description
TRUE	never evaluated
FALSE	never evaluated

262 /* If algorithm mismatch let caller deal with it */ -

263

if (OBJ_cmp(tmpid->hashAlgorithm.algorithm,

OBJ_cmp(tmpid-...thm.algorithm)	Description
TRUE	never evaluated
FALSE	never evaluated

264

cid->hashAlgorithm.algorithm))

OBJ_cmp(tmpid-...thm.algorithm)	Description
TRUE	never evaluated
FALSE	never evaluated

265

return 2;

never executed: return 2;

266 /* Else mismatch */ -

267

return 0;

never executed: return 0;

268 } -

269

}

never executed: end of block

270 -

271 /* All IDs match: only need to check one ID */ -

272 *ret = cid; -

273

return 1;

executed 16 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

274 } -

275 -

276 static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, -

277 STACK_OF(OCSP_SINGLERESP) *sresp) -

278 { -

279 /* If only one ID to match then do it */ -

280

if (cid) {

cid	Description
TRUE	evaluated 17 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-17

281 const EVP_MD *dgst; -

282 X509_NAME *iname; -

283 int mdlen; -

284 unsigned char md[EVP_MAX_MD_SIZE]; -

285

if ((dgst = EVP_get_digestbyobj(cid->hashAlgorithm.algorithm))

(dgst = EVP_ge...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 17 times by 1 test Evaluated by: libcrypto.so.1.1

0-17

286

== NULL) {

(dgst = EVP_ge...== ((void *)0)	Description
TRUE	never evaluated
FALSE	evaluated 17 times by 1 test Evaluated by: libcrypto.so.1.1

0-17

287 OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID, -

288 OCSP_R_UNKNOWN_MESSAGE_DIGEST); -

289

return -1;

never executed: return -1;

290 } -

291 -

292 mdlen = EVP_MD_size(dgst); -

293

if (mdlen < 0)

mdlen < 0	Description
TRUE	never evaluated
FALSE	evaluated 17 times by 1 test Evaluated by: libcrypto.so.1.1

0-17

294

return -1;

never executed: return -1;

295

if ((cid->issuerNameHash.length != mdlen) ||

(cid->issuerNa...ngth != mdlen)	Description
TRUE	never evaluated
FALSE	evaluated 17 times by 1 test Evaluated by: libcrypto.so.1.1

0-17

296

(cid->issuerKeyHash.length != mdlen))

(cid->issuerKe...ngth != mdlen)	Description
TRUE	never evaluated
FALSE	evaluated 17 times by 1 test Evaluated by: libcrypto.so.1.1

0-17

297

return 0;

never executed: return 0;

298 iname = X509_get_subject_name(cert); -

299

if (!X509_NAME_digest(iname, dgst, md, NULL))

!X509_NAME_dig... ((void *)0) )	Description
TRUE	never evaluated
FALSE	evaluated 17 times by 1 test Evaluated by: libcrypto.so.1.1

0-17

300

return -1;

never executed: return -1;

301

if (memcmp(md, cid->issuerNameHash.data, mdlen))

memcmp(md, cid...h.data, mdlen)	Description
TRUE	evaluated 4 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1

4-13

302

return 0;

executed 4 times by 1 test: return 0;

Executed by:

libcrypto.so.1.1

303 X509_pubkey_digest(cert, dgst, md, NULL); -

304

if (memcmp(md, cid->issuerKeyHash.data, mdlen))

memcmp(md, cid...h.data, mdlen)	Description
TRUE	never evaluated
FALSE	evaluated 13 times by 1 test Evaluated by: libcrypto.so.1.1

0-13

305

return 0;

never executed: return 0;

306 -

307

return 1;

executed 13 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

308 -

309 } else { -

310 /* We have to match the whole lot */ -

311 int i, ret; -

312 OCSP_CERTID *tmpid; -

313

for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) {

i < sk_OCSP_SI...ESP_num(sresp)	Description
TRUE	never evaluated
FALSE	never evaluated

314 tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; -

315 ret = ocsp_match_issuerid(cert, tmpid, NULL); -

316

if (ret <= 0)

ret <= 0	Description
TRUE	never evaluated
FALSE	never evaluated

317

return ret;

never executed: return ret;

318

}

never executed: end of block

319

return 1;

never executed: return 1;

320 } -

321 -

322 } -

323 -

324 static int ocsp_check_delegated(X509 *x) -

325 { -

326

if ((X509_get_extension_flags(x) & EXFLAG_XKUSAGE)

(X509_get_exte...lags(x) & 0x4)	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-6

327

&& (X509_get_extended_key_usage(x) & XKU_OCSP_SIGN))

(X509_get_exte...age(x) & 0x20)	Description
TRUE	evaluated 6 times by 1 test Evaluated by: libcrypto.so.1.1
FALSE	never evaluated

0-6

328

return 1;

executed 6 times by 1 test: return 1;

Executed by:

libcrypto.so.1.1

329 OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE); -

330

return 0;

never executed: return 0;

331 } -

332 -

333 /* -

334 * Verify an OCSP request. This is fortunately much easier than OCSP response -

335 * verify. Just find the signers certificate and verify it against a given -

336 * trust value. -

337 */ -

338 -

339 int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, -

340 X509_STORE *store, unsigned long flags) -

341 { -

342 X509 *signer; -

343 X509_NAME *nm; -

344 GENERAL_NAME *gen; -

345 int ret = 0; -

346 X509_STORE_CTX *ctx = X509_STORE_CTX_new(); -

347 -

348

if (ctx == NULL) {

ctx == ((void *)0)	Description
TRUE	never evaluated
FALSE	never evaluated

349 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_MALLOC_FAILURE); -

350

goto err;

never executed: goto err;

351 } -

352 -

353

if (!req->optionalSignature) {

!req->optionalSignature	Description
TRUE	never evaluated
FALSE	never evaluated

354 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED); -

355

goto err;

never executed: goto err;

356 } -

357 gen = req->tbsRequest.requestorName; -

358

if (!gen || gen->type != GEN_DIRNAME) {

!gen	Description
TRUE	never evaluated
FALSE	never evaluated

gen->type != 4	Description
TRUE	never evaluated
FALSE	never evaluated

359 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, -

360 OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE); -

361

goto err;

never executed: goto err;

362 } -

363 nm = gen->d.directoryName; -

364 ret = ocsp_req_find_signer(&signer, req, nm, certs, flags); -

365

if (ret <= 0) {

ret <= 0	Description
TRUE	never evaluated
FALSE	never evaluated

366 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, -

367 OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); -

368

goto err;

never executed: goto err;

369 } -

370

if ((ret == 2) && (flags & OCSP_TRUSTOTHER))

(ret == 2)	Description
TRUE	never evaluated
FALSE	never evaluated

(flags & 0x200)	Description
TRUE	never evaluated
FALSE	never evaluated

371

flags |= OCSP_NOVERIFY;

never executed: flags |= 0x10;

372

if (!(flags & OCSP_NOSIGS)) {

!(flags & 0x4)	Description
TRUE	never evaluated
FALSE	never evaluated

373 EVP_PKEY *skey; -

374 skey = X509_get0_pubkey(signer); -

375 ret = OCSP_REQUEST_verify(req, skey); -

376

if (ret <= 0) {

ret <= 0	Description
TRUE	never evaluated
FALSE	never evaluated

377 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE); -

378

goto err;

never executed: goto err;

379 } -

380

}

never executed: end of block

381

if (!(flags & OCSP_NOVERIFY)) {

!(flags & 0x10)	Description
TRUE	never evaluated
FALSE	never evaluated

382 int init_res; -

383

if (flags & OCSP_NOCHAIN)

flags & 0x8	Description
TRUE	never evaluated
FALSE	never evaluated

384

init_res = X509_STORE_CTX_init(ctx, store, signer, NULL);

never executed: init_res = X509_STORE_CTX_init(ctx, store, signer, ((void *)0) );

385 else -

386

init_res = X509_STORE_CTX_init(ctx, store, signer,

never executed: init_res = X509_STORE_CTX_init(ctx, store, signer, req->optionalSignature->certs);

387

req->optionalSignature->certs);

never executed: init_res = X509_STORE_CTX_init(ctx, store, signer, req->optionalSignature->certs);

388

if (!init_res) {

!init_res	Description
TRUE	never evaluated
FALSE	never evaluated

389 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_X509_LIB); -

390

goto err;

never executed: goto err;

391 } -

392 -

393 X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER); -

394 X509_STORE_CTX_set_trust(ctx, X509_TRUST_OCSP_REQUEST); -

395 ret = X509_verify_cert(ctx); -

396

if (ret <= 0) {

ret <= 0	Description
TRUE	never evaluated
FALSE	never evaluated

397 ret = X509_STORE_CTX_get_error(ctx); -

398 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, -

399 OCSP_R_CERTIFICATE_VERIFY_ERROR); -

400 ERR_add_error_data(2, "Verify error:", -

401 X509_verify_cert_error_string(ret)); -

402

goto err;

never executed: goto err;

403 } -

404

}

never executed: end of block

405 ret = 1; -

406

goto end;

never executed: goto end;

407 -

408 err: -

409 ret = 0; -

410

end:

code before this statement never executed: end:

411 X509_STORE_CTX_free(ctx); -

412

return ret;

never executed: return ret;

413 -

414 } -

415 -

416 static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, -

417 X509_NAME *nm, STACK_OF(X509) *certs, -

418 unsigned long flags) -

419 { -

420 X509 *signer; -

421

if (!(flags & OCSP_NOINTERN)) {

!(flags & 0x2)	Description
TRUE	never evaluated
FALSE	never evaluated

422 signer = X509_find_by_subject(req->optionalSignature->certs, nm); -

423

if (signer) {

signer	Description
TRUE	never evaluated
FALSE	never evaluated

424 *psigner = signer; -

425

return 1;

never executed: return 1;

426 } -

427

}

never executed: end of block

428 -

429 signer = X509_find_by_subject(certs, nm); -

430

if (signer) {

signer	Description
TRUE	never evaluated
FALSE	never evaluated

431 *psigner = signer; -

432

return 2;

never executed: return 2;

433 } -

434

return 0;

never executed: return 0;

435 } -

Source code

Switch to Preprocessed file

Generated by Squish Coco 4.2.2